


FEDERAL PROPERTY MANAGEMENT REGULATIONS 
TEMPORARY REGULATION E-43 


TO: Heads of Federal agencies

SUBJECT: Protection of privacy and data security 

1. Purpose. This temporary regulation sets forth rules 
and procedures relevant to protection of privacy and data 
security in accordance with the Privacy Act of 1974. 

2. Effective date. This regulation is effective September 27,
1975.

3. Expiration date. This regulation expires March 31, 1976. 

4. Background. The Privacy Act of 1974 sets forth certain
safeguards for an individual against an invasion of personal 
privacy by requiring Federal agencies to abide by the provi- 
sions of the act. This regulation informs the agencies of 
GSA's privacy safeguards concerning ADP and telecommunications. 

5. General. This regulation sets forth rules and procedures 
to be followed by agencies in making use of, or providing, 
interagency ADP services. This regulation applies to inter- 
agency, intra-agency, and commercial ADP service arrangements. 
This regulation also sets forth the procedures to be followed 
by agencies in preparing solicitation documents for procuring 
ADP equipment, software, and services and telecommunications 
facilities and services. 

6. Applicability. The provisions of this regulation apply 
to all Federal agencies.

7. Definitions. For the purpose of this temporary regulation
the following terms shall have the meaning set forth below: 

a. The term "agency" means agency as defined in the 
Privacy Act of 1974. 

b. The term "individual" means a citizen of the United 
States or an alien lawfully admitted for permanent residence. 



Approved For Release 2003/08/20 : CIA-RDP84-00933R000300240005-0 




FPMR Temp. Reg. E-43 


October 9, 1975 


c. The term "maintain" includes maintain, collect,
use, or disseminate.

d. The term "record" means any item, collection, or
grouping of information about an individual that is maintained
by an agency, including, but not limited to, his education,
financial transactions, medical history, and criminal or
employment history and that contains his name or the
identifying number, symbol, or other identifying particular
assigned to the individual, such as a finger or voice print
or a photograph.

e. The term "system of records" means a group of any
records under the control of any agency from which information
is retrieved by the name of the individual or by some identifying
number, symbol, or other identifying particular assigned to
the individual.

f. The term "threats and hazards" means man-made or 
natural events, the occurrence of which may result in the 
loss, alteration, or unauthorized access to data. 

g. The term "safeguards" means those procedures, methods,
and devices which have as their specific function the prevention 
or mitigation of the effects of threats and hazards. 

h. The term "rules of conduct" means those administrative 
procedures, methods of work, and standards of conduct which 
together define the manner in which persons involved in the 
design, development, operation, or maintenance of systems of 
records will maintain, collect, use, or disseminate such records. 

i. The term "Government contractor" means any individual
or other entity who contracts to operate by or on behalf of
an agency a system of records to accomplish an agency function.

8. Security and privacy requirements. 

a. The Privacy Act of 1974, 5 U.S.C. 552a, requires that
each agency that maintains a system of records shall:

(1) Maintain in its records only such information about
an individual as is relevant and necessary to accomplish a
purpose of the agency required to be accomplished by statute or
by Executive order of the President (5 U.S.C. 552a(e)(10)). Thus
protection of privacy is promoted by limiting the amount of
information maintained.

(2) Establish rules of conduct for the

10. User agency responsibilities. A user agency shall:

a. Determine its data confidentiality and security 
requirements before storing or processing systems of records 
at a provider agency's facility; 


b. Include in its screening of ADP resources an exami- 
nation of the ability of each resource to meet its data confi- 
dentiality and security requirements (Specifically, the adequacy 
of available technical, administrative, and physical safeguards 
to counter anticipated threats and hazards must be evaluated.). 


c. Satisfy itself that the rules of conduct governing
the activities of personnel of the provider agency are
commensurate with its data confidentiality and security
requirements;

d. Obtain services from only those provider agencies 
that fully meet the user agency's data confidentiality and 
security requirements; 

e. Recognize that the records it stores or processes
at the facility of a provider agency will be considered to 
be maintained by the user agency; and 

f. Establish written rules governing the disclosure by 
a provider agency of records considered to be maintained by 
the user agency. 


11. Provider agency responsibilities. A provider agency shall:


a. As specified in 8a, above, develop rules of conduct 
for personnel involved in design, development, operation, or 
maintenance of equipment, systems, or services used to 
store or process systems of records; 


b. In accordance with 8a, above, undertake a continuing 
program of review of its operations to ensure that threats 
and hazards to data confidentiality and security are properly 
identified and that appropriate safeguards are implemented; 


c. Make available rules of conduct and information on 
safeguards to user agencies; 

d. Refrain from disclosing any records stored or processed
for a user agency except to that agency or under written rules 
established and provided by that user agency; and 

e. Make known to user agencies changes in its percep- 
tion of threats and hazards to data confidentiality and 
security or any changes in the safeguards implemented to 
protect against those threats and hazards. User agencies 
may use information on such changes to reevaluate its usage 
of the provider agency's services. 

12. Contractors' responsibilities. Subsequent to the effective 
date of the act, all persons, including contractors, who are 
involved in the design, development, operation, or maintenance 
of any system of records, or the maintenance of any record,
are subject to the applicable provisions of the act, including
the agency rules of conduct. In addition, pursuant to 5 U.S.C.
552a(m), Government contractors, as defined in Section 7(i),
above, and their employees are also subject to the criminal 
sanctions of 5 U.S.C. 552a(i). 

13. Solicitation documents. 

a. Agencies authorized to procure ADP equipment, software, 
or services in accordance with 41 CFR 101-32 or to procure 
telecommunications equipment or services in accordance with
41 CFR 101-35 shall include in their solicitation documents:

(1) Agency rules of conduct which a contractor and 
his employees shall be required to adhere to; 

(2) A list of the anticipated threats and hazards 
which are pertinent to the contemplated procurement and 
which the contractor must safeguard against; 

(3) A description of the safeguards which the agency 
specifically requires the contractor to provide; and 

(4) A notice that under 5 U.S.C. 552a(m) of the act
Government contractors and any employees of such contractors 
are subject to the criminal penalties of 5 U.S.C. 552a(i). 

b. Agencies shall also: 

(1) Evaluate vendor proposals to determine the adequacy 
of the safeguards proposed in meeting the anticipated threats 
or hazards to the security and integrity of records; 

(2) Verify that any safeguards proposed by an offeror
before award of a contract are in use and effective before 
commencing work under the contract; 

(3) Identify in the specification and contract the test
methods, procedures, and criteria to be used to verify that
all safeguards have in fact been provided;

(4) Verify that any safeguards provided as a result of
work done under the contract are effective; and

(5) Include in the system specifications and contract 
the requirements of the Government for a program of subsequent 
inspection that will be followed to ensure the continued efficacy 
and efficiency of safeguards and the discovery and countering of 
new threats and hazards. 

14. Agency comments. Comments concerning the effect or impact 
of this regulation on agency operations or programs should be 
submitted to the General Services Administration (CP),
Washington, DC 20405, no later than October 31, 1975.